Malicious npm Package Poses as OpenClaw Installer, Uses RAT, Steals macOS Credentials

Cybersecurity researchers have discovered a malicious npm package that poses as an OpenClaw installer in order to launch a remote access trojan (RAT) and steal sensitive data from infected hosts.
The package, named “@openclaw-ai/openclawai,” was uploaded to the npm registry by a user named “openclaw-ai” on March 3, 2026. It has been downloaded 178 times so far and was still available for download at the time of writing.
JFrog, which discovered the package, said it was designed to steal system information, browser data, crypto wallets, SSH keys, the Apple Keychain database, and iMessage history, as well as to install a persistent RAT with remote access capabilities, a SOCKS5 proxy, and live browser session hijacking.
“This attack is notable for its extensive data collection, its use of social engineering to harvest the victim’s system password, and the sophistication of its persistence and C2 [command-and-control] infrastructure,” said security researcher Meitar Palas. “Internally, the malware presents itself as GhostLoader.”
The malicious behavior is triggered by an install hook that reinstalls the package globally using the command “npm i -g @openclaw-ai/openclawai.” Once the installation is complete, the OpenClaw binary resolves to “scripts/setup.js” through the “bin” property in the “package.json” file.
It’s worth noting that the “bin” field is used to define executable files that should be added to the user’s PATH during package installation. This turns the package into a globally accessible command-line tool.
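As an added example (not code from JFrog or from the package itself), the following Node.js function audits a package.json manifest for the two install-time red flags described above: lifecycle hooks that reinstall the package globally or fetch code, and a bin entry that points into scripts/. The sample manifest is constructed from the report's description, not taken from the real package.

```javascript
// Lifecycle hooks npm runs automatically at install time.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Returns a list of human-readable findings for a parsed package.json object.
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push(`lifecycle hook "${hook}" runs: ${cmd}`);
    // Self-reinstalling with -g is how a dependency install becomes a PATH-exposed command.
    const globalInstall = /\bnpm\s+(i|install)\b[^&|;]*\s(-g|--global)\b/.test(cmd);
    if (globalInstall && pkg.name && cmd.includes(pkg.name)) {
      findings.push(`hook "${hook}" reinstalls ${pkg.name} globally`);
    }
    // Downloading or evaluating code during install is a separate red flag.
    if (/\b(curl|wget|node\s+-e|eval|bash\s+-c)\b/.test(cmd)) {
      findings.push(`hook "${hook}" fetches or evaluates code at install time`);
    }
  }
  // "bin" may be a string (single command named after the package) or an object.
  const bin = typeof pkg.bin === "string" ? { [pkg.name]: pkg.bin } : (pkg.bin || {});
  for (const [cmdName, target] of Object.entries(bin)) {
    if (/^(\.\/)?scripts\//.test(target)) {
      findings.push(`bin "${cmdName}" points into scripts/ (${target}); review before running`);
    }
  }
  return findings;
}

// Constructed sample manifest mirroring the pattern in the report (hypothetical values).
const SAMPLE_MANIFEST = {
  name: "@openclaw-ai/openclawai",
  version: "1.0.0",
  scripts: { postinstall: "npm i -g @openclaw-ai/openclawai" },
  bin: { openclaw: "scripts/setup.js" },
};

console.log(auditManifest(SAMPLE_MANIFEST).join("\n"));
```

Run it against the package.json inside an npm tarball (npm pack <name> extracts one without executing hooks) before installing an unfamiliar package.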
The “setup.js” file acts as a first-stage dropper that, when run, displays a convincing command-line interface with animated progress bars to give the impression that OpenClaw is being installed on the host. After the fake installation steps complete, the script displays a bogus iCloud Keychain authentication prompt asking the user to enter their system password.
At the same time, the script retrieves an encrypted second-stage JavaScript payload from the C2 server (“trackpipe[.]dev”), which is then decrypted, written to a temporary file, and launched as a detached child process so that it keeps running in the background. The temporary file is deleted after 60 seconds to cover the activity’s tracks.
“If the Safari directory is not accessible (no Full Disk Access), the script displays an AppleScript dialog asking the user to grant FDA to Terminal, complete with step-by-step instructions and a button that opens System Preferences directly,” JFrog explained. “This allows the second-stage payload to steal Apple Notes, iMessage, Safari history, and Mail data.”
The second-stage JavaScript payload, roughly 11,700 lines long, is a full-fledged data theft and RAT framework with capabilities for persistence, data collection, browser decryption, C2 communication, SOCKS5 proxying, and live browser integration. It is also equipped to steal a wide variety of data:
- macOS Keychain, including both the local login.keychain-db and all iCloud Keychain databases
- Authentication, cookies, credit card, and autofill data from all Chromium-based browsers, such as Google Chrome, Microsoft Edge, Brave, Vivaldi, Opera, Yandex, and Comet
- Data from desktop wallet applications and browser extensions
- Cryptocurrency wallet seed phrases
- SSH keys
- Developer and cloud credentials for AWS, Microsoft Azure, Google Cloud, Kubernetes, Docker, and GitHub
- Artificial intelligence (AI) agent configurations, and
- Data protected by Full Disk Access (FDA), including Apple Notes, iMessage history, Safari browsing history, Mail account settings, and Apple account information
In the final stage, the collected data is compressed into a tar.gz archive and exfiltrated through multiple channels, including directly to the C2 server, the Telegram Bot API, and GoFile.io.
In addition, the malware enters a persistent daemon mode in which it monitors the contents of the clipboard every three seconds and transmits any data that matches one of nine predefined patterns corresponding to private keys, WIF keys, SOL private keys, RSA private keys, BTC addresses, Ethereum addresses, AWS keys, OpenAI keys, and Strike keys.
Other features include keeping tabs on running processes, scanning incoming iMessage conversations in real time, and executing commands sent from the C2 server to run arbitrary shell commands, open a URL in the victim’s default browser, download additional payloads, upload files, start or stop the SOCKS5 proxy, list available browsers, and clone a browser profile and launch it in headless mode.
The browser integration function is particularly dangerous, as it launches a headless Chromium instance with an existing browser profile that contains the victim’s cookies, logins, and history. This gives the attacker a fully authenticated browser session without needing to obtain the underlying credentials.
“The @openclaw-ai/openclawai package combines social engineering, encrypted payload delivery, extensive data collection, and a persistent RAT into a single npm package,” JFrog said.
“The fake installer’s polished CLI and Keychain prompt are convincing enough to extract system passwords from unsuspecting developers, and once captured, those credentials unlock macOS Keychain encryption and browser credentials that would otherwise be blocked by OS-level protections.”